[Security Weekly] Tesla Fixes Model X Software Flaw That Allowed Car to Be Stolen in Minutes


4th Week of November 2020


1. Tesla fixes Model X software flaw that allowed car to be stolen in minutes

A Belgian researcher at the Catholic University of Leuven (KU Leuven) disclosed a critical flaw in the Tesla Model X that allowed attackers to take control of the key fob and steal the vehicle within minutes.

According to the researcher, the flaw costs only a few hundred dollars to exploit. The attacker would first need to buy an electronic control unit (ECU) from an older Model X, which is easy to find online. They would then modify the old ECU so that it pairs with the targeted owner's key fob. Once paired, they could install malware on the key fob via Bluetooth and extract the unlock commands, which could then be used to unlock the car.

Before publicly disclosing the flaw, the researcher notified Tesla’s cybersecurity team back in August. As of now, the flaw has been fixed with the latest software updates.

Like computers, connected cars are highly vulnerable to hacking and cyberattacks. This is why all new vehicles manufactured today are required to have built-in cybersecurity measures that secure all communications to and from the vehicle. AUTOCRYPT is one of only a few automotive cybersecurity providers worldwide that supply crucial security components to global automakers, alongside German-based ESCRYPT and US-based Qualcomm. To learn more about AUTOCRYPT, click here.

Sources: ZDNet, Bleeping Computer


2. Spotify faces credential stuffing attack compromising 350,000 user accounts

On November 24, security researchers at vpnMentor publicized a cybersecurity incident that took place back in July, where an estimated 350,000 Spotify user accounts were compromised by hackers.

In early July, the researchers found an unprotected Elasticsearch database with a size of 72GB, containing 380 million records of login credentials and user data from Spotify. These records included personally identifiable information (PII), email addresses, and unencrypted usernames and passwords. Fortunately, the 350,000 compromised accounts only made up 0.1% of Spotify’s 300 million active user accounts.

The exposed data does not appear to have been stolen directly from Spotify, since the passwords were in plain text. Experts believe the login credentials were instead obtained through a credential stuffing attack, in which username and password pairs leaked in other data breaches were replayed against Spotify's login to find accounts that reused them. Spotify was made aware of the issue immediately after the discovery and forced a password reset for all affected accounts, so that the exposed credentials would no longer be valid.
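The response described above (identify the accounts the stuffing run actually got into, then force a password reset on them) depends on telling a stuffing campaign apart from ordinary failed logins. The following Python script is an added example, not code from the newsletter or from Spotify or vpnMentor; its log format, thresholds and sample lines are all constructed. It flags a source address that tries many different usernames within a short window with a high failure rate, which is the signature of replayed breach credentials, and lists the accounts where that source succeeded.

```python
"""Credential stuffing detection over constructed login log lines (added example).

Credential stuffing replays username/password pairs leaked from other breaches.
Its signature is one source address trying many *different* usernames with a
high failure rate, unlike a legitimate user (one account, a few failures) or a
classic brute-force attempt (one account, many failures). The log format below
is an assumption made for this example: "<ISO timestamp> <src_ip> <user> <LOGIN_OK|LOGIN_FAIL>".
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 cycles through ten different accounts and
# lands two of them; 198.51.100.4 is a user mistyping their own password;
# 192.0.2.9 hammers a single account (brute force, a different detection).
SAMPLE_LOG = """\
2020-07-03T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2020-07-03T10:00:02Z 203.0.113.7 bob LOGIN_FAIL
2020-07-03T10:00:02Z 203.0.113.7 carol LOGIN_OK
2020-07-03T10:00:03Z 203.0.113.7 dave LOGIN_FAIL
2020-07-03T10:00:03Z 203.0.113.7 erin LOGIN_FAIL
2020-07-03T10:00:04Z 203.0.113.7 frank LOGIN_FAIL
2020-07-03T10:00:05Z 203.0.113.7 grace LOGIN_OK
2020-07-03T10:00:05Z 203.0.113.7 heidi LOGIN_FAIL
2020-07-03T10:00:06Z 203.0.113.7 ivan LOGIN_FAIL
2020-07-03T10:00:06Z 203.0.113.7 judy LOGIN_FAIL
2020-07-03T10:01:00Z 198.51.100.4 mallory LOGIN_FAIL
2020-07-03T10:01:05Z 198.51.100.4 mallory LOGIN_FAIL
2020-07-03T10:01:20Z 198.51.100.4 mallory LOGIN_OK
2020-07-03T10:02:00Z 192.0.2.9 victim LOGIN_FAIL
2020-07-03T10:02:01Z 192.0.2.9 victim LOGIN_FAIL
2020-07-03T10:02:02Z 192.0.2.9 victim LOGIN_FAIL
2020-07-03T10:02:03Z 192.0.2.9 victim LOGIN_FAIL
2020-07-03T10:02:04Z 192.0.2.9 victim LOGIN_FAIL
2020-07-03T10:02:05Z 192.0.2.9 victim LOGIN_FAIL
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "LOGIN_OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_stuffing(events: list[Event], window: timedelta = timedelta(minutes=5),
                    min_users: int = 8, min_fail_ratio: float = 0.5) -> dict:
    """Flag source IPs that, within any sliding `window`, tried at least
    `min_users` distinct usernames with a failure ratio >= `min_fail_ratio`.

    Returns {ip: {"distinct_users", "attempts", "failures", "compromised"}}
    where "compromised" lists accounts the flagged IP logged into successfully,
    i.e. the accounts that should receive a forced password reset."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        start, failures, users = 0, 0, Counter()
        peak = None  # worst window seen for this IP
        for end, e in enumerate(evs):
            users[e.user] += 1
            failures += not e.ok
            # Slide the window start forward until it fits within `window`.
            while e.ts - evs[start].ts > window:
                old = evs[start]
                users[old.user] -= 1
                if not users[old.user]:
                    del users[old.user]
                failures -= not old.ok
                start += 1
            attempts = end - start + 1
            if len(users) >= min_users and failures / attempts >= min_fail_ratio:
                if peak is None or len(users) > peak["distinct_users"]:
                    peak = {"distinct_users": len(users), "attempts": attempts, "failures": failures}
        if peak:
            peak["compromised"] = sorted({x.user for x in evs if x.ok})
            findings[ip] = peak
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"{info['failures']}/{info['attempts']} failed, reset: {info['compromised']}")
```

The distinct-username count is what separates stuffing from the brute-force source in the sample, which fails just as often but against one account; in production the thresholds would be tuned to the service's normal traffic, and shared egress addresses (offices, carrier NAT) would need an allow-list or a per-user-agent split to keep the false-positive rate down.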

To prevent credential stuffing attacks, having a multi-factor authentication (MFA) procedure in place is essential. Penta Security’s iSIGN+ is an appliance-type single sign-on MFA solution that helps businesses manage all their crucial accounts with a single login process, offering security and convenience at the same time. To learn more about iSIGN+, click here.

Sources: ZDNet, Infosecurity


3. Personal data of 16 million Brazilian COVID-19 patients breached

The personal and health information of over 16 million Brazilian patients who had been infected with COVID-19 was exposed to the public. The list included the data of President Jair Bolsonaro and his family, seven government ministers, and 17 state governors.

The leak originated in early November, when a hospital employee uploaded to GitHub a spreadsheet containing login credentials for key government databases. Whether this was a mistake or intentional remains unclear. One of the exposed databases held the details of COVID-19 patients with mild symptoms, while another tracked hospitalized patients. Together they contained personal information, including names, home addresses, ID numbers, and medical histories, for over 16 million patients.

The spreadsheet was discovered by a GitHub user, who immediately reported the issue to local news media. The spreadsheet was later removed from GitHub, after which the Brazilian Ministry of Health changed the login credentials to the leaked databases.

Sources: ZDNet, Tech Times


4. Manchester United suffers suspected ransomware attack

On November 20, English football club Manchester United suffered a cyber attack that forced it to shut down parts of its internal IT systems.

The club provided very few details about the attack. Its official website and mobile apps remained functional, and matches were unaffected. The club said it had been working with security experts to mitigate the attack and that damage had been kept to a minimum. It also stated that there was no evidence that any personal data of its fans or customers had been compromised.

Although no official confirmation was provided, judging from the club's response, the attack was likely a ransomware infection that forced the club to shut down its IT systems to prevent further damage.

Sources: Infosecurity, The Guardian


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: iSIGN+

Car, Energy, Factory, City Solutions: Penta IoT Security